#AxisOfEasy 237: Chinese Hackers Have Compromised U.S. State Government Networks


Weekly Axis Of Easy #237


Last Week’s Quote, “I wanted to change the world. But I have found that the only thing one can be sure of changing is oneself.”, was by Aldous Huxley. Congrats to Cartsen for getting the right answer.

This Week’s Quote: “Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth.” … by???

THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.

 


This is your easyDNS #AxisOfEasy Briefing for the week of March 14th, 2022, wherein our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy. 
 
In this issue:

  • Chinese hackers have compromised U.S. state government networks
  • Ukrainians, European allies targeted by Russian hackers
  • Argentinian eCommerce giant MercadoLibre confirms a data breach involving source code
  • Russia is the target of a new ransomware attack
  • Violence against Russian invaders is allowed on Facebook
 
Elsewhere online:

  • Attackers amplify DDoS attacks by 4 billion times using Mitel devices
  • Russia and China are increasing their cyberattacks against small businesses
  • Spoofing vulnerability has been discovered in Microsoft Defender for Endpoint
  • Big Tech alternatives get a boost as Google challenger DuckDuckGo joins the ‘disinformation’ purge 
  • Major Software Firms Issue Critical Security Patches

 

Chinese hackers have compromised U.S. state government networks 

Mandiant security researchers have discovered that at least six U.S. state government networks were compromised in a new hacking campaign by state-sponsored threat actors affiliated with China. The hackers exploited Log4Shell and other bugs to compromise these networks.

Researchers say the activity observed between May 2021 and February 2022 indicates a deliberate campaign. However, Mandiant could not determine definitively whether APT41 was operating on the state’s behalf or for its own benefit.

The report describes “significant new capabilities,” including new attack vectors and post-compromise tools and techniques. Initial access was gained through targeted .NET deserialization attacks, SQL injections, and directory traversals against internet-facing web applications.

In this case, APT41 exploited the known Log4Shell vulnerability and compromised the commercial app USAHerds through a combination of zero-day attacks and known bugs.

Mandiant stated that APT41 rapidly adapts its initial access techniques, re-compromising an environment through a different vector or quickly exploiting a new vulnerability. The group also shows a willingness to retool and deploy capabilities through new attack vectors rather than holding them back for future use.

Read: https://www.infosecurity-magazine.com/news/chinese-apt41-group-compromises/ 


Ukrainians, European allies targeted by Russian hackers

While Russian forces invaded Ukraine, various threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, launched phishing campaigns against Ukrainian, Polish, and other European entities.

Russia’s military intelligence agency, the GRU, used Blogspot landing pages as a platform for social engineering attacks, according to Google’s Threat Analysis Group (TAG). This follows a warning from the Computer Emergency Response Team of Ukraine (CERT-UA) about phishing campaigns targeting Ukr.net users: emails sent from compromised accounts containing links to attacker-controlled credential harvesting pages.

Ukraine and Europe are not the only targets of Russian and Belarusian threat actors. In Europe, TA416 is planting malware, and UNC1151 is delivering malware through Microsoft HTML Help files.

Russia has also announced its decision to ban many social media platforms, including Facebook, and has severed ties with U.S. technology companies, effectively creating an iron curtain that restricts access to the internet.

Read: https://thehackernews.com/2022/03/google-russian-hackers-target.html?&web_view=true 


Argentinian eCommerce giant MercadoLibre confirms a data breach involving source code

MercadoLibre confirmed that part of its source code had been accessed without authorization. The incident did not appear to affect sensitive information: no credentials, accounts, investments, financial information, or credit card information were obtained, and it is not known whether the company’s infrastructure systems were compromised.

With 140 million users, MercadoLibre is the largest e-commerce and payments platform in Latin America. Records of 300,000 MercadoLibre users were also examined as part of its initial analysis. At this time there is no indication that the company’s IT infrastructure was compromised or that sensitive data was exposed.

“There are no indications that our infrastructure systems have been compromised or that personal information such as passwords, account balances, investments, financial information, and credit card information was stolen. We are taking strict measures to prevent further incidents,” Mercado said.

Read: https://www.bleepingcomputer.com/news/security/e-commerce-giant-mercado-libre-confirms-source-code-data-breach/?&web_view=true 


Russia is the target of a new ransomware attack

As Russia and Ukraine engage in hostilities on the ground, a parallel conflict is unfolding in cyberspace. Attacks are being launched against both the Russian and Ukrainian sides, and a new wiper is now targeting Russia.

Trend Micro found several additional samples of this malware, dubbed “RURansom” by its developer. Despite the name, analysis has revealed it to be a wiper rather than a ransomware variant, because it irreversibly destroys the files it encrypts.

The malware is written in .NET and spreads like a worm by copying itself to removable drives and shared network drives under the file name “Russia-Ukraine_War-Update.doc.exe.”

After spreading, the malware begins encrypting files. This is applied to files of every extension except “.bak”. The malware uses a hard-coded salt and a unique key for each encrypted file, and drops a “ransom” note into each encrypted directory.

Additionally, Trend Micro has discovered several versions of RURansom, some of which stop executing if the IP address of the machine they are launched on is outside Russia.
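As an added, defender-side example (not code from Trend Micro’s research or from this newsletter), a small Python scanner that walks a mounted removable drive or network share and flags the dropper name reported above, plus any document-looking name that ends in an executable double extension. The extension lists and the sample tree it builds are constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# File name under which RURansom copies itself to removable and shared drives (from the report above).
RURANSOM_DROPPER = "Russia-Ukraine_War-Update.doc.exe"

# A document-looking extension immediately followed by an executable one, e.g. "update.doc.exe".
# The extension lists are an assumption for this example, not taken from the report.
DOUBLE_EXT = re.compile(r"\.(doc|docx|pdf|xls|xlsx|txt)\.(exe|scr|com|bat)$", re.IGNORECASE)


def classify(name):
    """Return why a file name is suspicious, or None if it looks benign."""
    if name.lower() == RURANSOM_DROPPER.lower():
        return "known RURansom dropper name"
    if DOUBLE_EXT.search(name):
        return "document-looking double extension"
    return None


def scan_tree(root):
    """Walk root (e.g. a mounted USB stick or network share) and list suspicious files with reasons."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reason = classify(name)
            if reason:
                hits.append((os.path.join(dirpath, name), reason))
    return sorted(hits)


def demo():
    """Build a constructed sample share (harmless placeholder files) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("docs/Russia-Ukraine_War-Update.doc.exe",
                    "docs/notes.txt",
                    "backup/db.bak",
                    "share/invoice.pdf.scr"):
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"placeholder")
        # Report paths relative to the share so the result does not depend on the temp directory name.
        return [(os.path.relpath(p, root), r) for p, r in scan_tree(root)]


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

Point `scan_tree` at a real mount point to triage a drive; the `.bak` file in the sample is deliberately left alone, matching the exclusion the report describes.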

Malware developers are also taking sides in the conflict between Ukraine and Russia. Evidence of this has been found in recently exposed cyberattacks, such as those by the Russian-based cybercriminal groups behind Conti and TrickBot, and in the destructive wiper that has attacked organizations in Ukraine. Now, the RURansom wiper is seeking out Russian targets.

The tense geopolitical situation has intensified cyberattacks. To navigate this uncertainty, the cybersecurity company advises organizations to “keep defenses up, to be aware of misinformation, and to monitor the situation.”

Read: https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html?&web_view=true 


Violence against Russian invaders is allowed on Facebook

Facebook and Instagram users in some countries will be allowed to call for violence against Russian soldiers and Russian citizens under a temporary change to Meta’s hate speech policy.

A Meta spokesperson said in a statement that, in the wake of the Russian invasion of Ukraine, the company has temporarily allowed forms of political expression that would usually violate its rules, such as calls for violence against Russian civilians. However, he said credible calls to attack Russians would not be tolerated.

The Russian embassy said on Twitter and Instagram that users weren’t entitled to determine the criteria of truth and pit nations against one another.

According to one email, the temporary changes in the policy apply to Armenia, Estonia, Georgia, Latvia, Lithuania, Azerbaijan, Hungary, Poland, Romania, Russia, Slovakia, and Ukraine.

Many social media platforms have introduced new content restrictions around the conflict. Meta, for example, is also allowing praise of the right-wing Azov battalion in the context of defending Ukraine.

Read: https://www.reuters.com/world/europe/exclusive-facebook-instagram-temporarily-allow-calls-violence-against-russians-2022-03-10/ 


Elsewhere online: 

Attackers amplify DDoS attacks by 4 billion times using Mitel devices
 
Read: https://thehackernews.com/2022/03/hackers-abuse-mitel-devices-to-amplify.html


Russia and China are increasing their cyberattacks against small businesses

Read: https://www.helpnetsecurity.com/2022/03/09/saas-security-events-smbs/?web_view=true

Spoofing vulnerability has been discovered in Microsoft Defender for Endpoint

Read: https://www.securityweek.com/microsoft-warns-spoofing-vulnerability-defender-endpoint 

Big Tech alternatives get a boost as Google challenger DuckDuckGo joins the ‘disinformation’ purge

Read: https://justthenews.com/accountability/russia-and-ukraine-scandals/boon-big-tech-alternatives-google-challenger-duckduckgo

Major Software Firms Issue Critical Security Patches

Read: https://thehackernews.com/2022/03/critical-security-patches-issued-by.html

 

Previously on #AxisOfEasy

If you missed the previous issues, they can be read online here:
